Vulnerability Details : CVE-2023-41267
In the Apache Airflow HDFS Provider, versions prior to 4.1.1, a documentation string pointed users to install an incorrect pip package. As this package name was unclaimed, in theory, an attacker could claim this package and provide code that would be executed when this package was installed. The Airflow team has since taken ownership of the package (neutralizing the risk) and fixed the doc strings in version 4.1.1.
Vulnerability category: File inclusion
Products affected by CVE-2023-41267
- cpe:2.3:a:apache:airflow_hdfs_provider:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-41267
- EPSS score: 0.12% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~47% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2023-41267
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
CWE ids for CVE-2023-41267
- The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. Assigned by: security@apache.org (Primary)
References for CVE-2023-41267
- https://github.com/apache/airflow/pull/33813
  Fix package name in exception message for hdfs provider by pierrejeambrun · Pull Request #33813 · apache/airflow · GitHub (Patch)
- https://lists.apache.org/thread/ggthr5pn42bn6wcr25hxnykjzh4ntw7z
  CVE-2023-41267: Apache HDFS Provider error message suggested installation of incorrect pip package - Apache Mail Archives (Mailing List; Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2023/09/14/3
  oss-security - CVE-2023-41267: Apache HDFS Provider error message suggested installation of incorrect pip package (Mailing List; Third Party Advisory)